How SAP Authorizations Management Impacts SAP Licensing Compliancy

Commonly, SAP licensing is measured based upon the entitled access of named user accounts within the SAP systems. From my experience as a license auditor, working with some of the biggest global SAP organizations, this is the most common licensing principle I've come across in SAP contracts. It does, however, depend on the specific conditions in your SAP contract, as usage-based terms can also exist.

What does licensing based on entitled access mean?

In general, if users are entitled to use certain SAP functionality and perform specific tasks by way of designated access controls (SAP authorizations), then those users should be licensed in a way that reflects those permissions. If your contract stipulates licensing based on authorized access and you have been licensing users based on what they actually do in those systems, then there is certainly a potential risk of non-compliance.

In my experience, many customers have been licensing users based on what users are doing in SAP, i.e. on the transaction codes those users have been executing. This is done by analysing usage data, also known as STAD data. My professional opinion in these cases was that these customers were non-compliant and potentially significantly under-licensed. The shortfall in license assets held was typically the result of being lured into a false sense of security by a usage-based assessment of their licensing requirements.

A Practical example

A user has been assigned permissions to (1) create and (2) maintain purchase requisitions (assuming Limited Professional activity) and, additionally, (3) maintain vendor master data (assuming Professional activity). According to the principle of licensing by authorized access and the associated user definitions in the customer's contract, the grouping of these tasks requires a Professional license. However, through the customer's own methodology of licensing users based on actual usage, they have determined that the user has only created purchase requisitions (assuming Limited Professional activity) in the past year, and have therefore assigned a Limited Professional license to that user. Under a license-by-authorized-access contract, the user would actually require a full Professional license to be compliant.

The question is, is the customer compliant with their contract or not? In my opinion, it depends on the definitions within that contract. If the user license definitions read like "An individual who is entitled to perform…" or "is authorized to perform", then this tells me that the customer is not compliant, as they have licensed the user based on what the user has done, not on what the user can do.

License Audit Risk

The major risk here is a License Audit. The License Audit Workbench (LAW) is not capable of interrogating user authorizations to determine the license actually required. USMM, the measurement transaction, merely gathers the customer-assigned license type from the SAP systems. LAW consolidates all systems accessed to determine the prevailing license type for each user, where the highest license type takes precedence. This means that customers who are managing licensing based on usage data and not authorizations data could be significantly non-compliant with their SAP contracts. You can quite easily submit your USMM/LAW results year upon year without this issue ever being raised, because it does not show up in the data that USMM collects. In fact, this is one of the single greatest causes of large-value non-compliance claims. Where the customer has tens of thousands of users, this can mean a compliance gap of seven or even eight figures, which means a potentially costly license audit.

Possible Workarounds

If you as a customer are licensing users based on what named users are actually doing in SAP, and not on what users are entitled to do, then there is a solution: a redundant access clean-up project. This involves removing the redundant access provisions that have most likely accumulated over the years. That accumulation has likely caused your access control and Segregation of Duties (SoD) risks to increase or persist, and is now potentially causing you contract compliance issues as well.

If you are relying on a SAM tool for peace of mind (which I have covered in a previous blog), then ensure that the tool is actually measuring your SAP landscape according to your SAP contract, not according to some 'out of the box' queries that provide you with the figures you want to see rather than the figures that actually count.

If you are relying on some form of tool or script for output, whatever it is, make sure that the output reflects your contract. If you are allowing SAP named users to accumulate access rights they potentially no longer need, then consider a clean-up project. It is a two-in-one win: it potentially reduces the business risks associated with SAP system access and potentially makes you more compliant with your SAP contract.
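To make the practical example above and the clean-up it motivates concrete, here is an added illustration (written for this article, not a tool from the author or JNC). It classifies a user by what they are authorized to run versus what they actually ran, and lists authorizations that were never used. The transaction codes and their mapping to license classes are assumptions for illustration; the real mapping must come from the definitions in your own contract.

```python
# Added example, not from the original article. Compares the license class a
# user is entitled to (from authorized transaction codes) with the class
# implied by STAD-style usage, and lists authorized-but-unused transactions,
# i.e. candidates for a redundant-access clean-up.
from dataclasses import dataclass, field
from typing import List, Optional

# License classes ordered from lowest to highest entitlement (assumed names).
RANK = {"Employee": 0, "Limited Professional": 1, "Professional": 2}

# Assumed contract mapping for illustration: class implied by each transaction.
TCODE_CLASS = {
    "ME51N": "Limited Professional",  # create purchase requisition
    "ME52N": "Limited Professional",  # change purchase requisition
    "XK02": "Professional",           # maintain vendor master data
    "SU3": "Employee",                # maintain own user defaults
}


def highest(classes):
    """Return the most demanding license class in an iterable, or None."""
    return max(classes, key=lambda c: RANK[c], default=None)


@dataclass
class Assessment:
    user: str
    entitled: Optional[str]   # class required by authorized access
    used: Optional[str]       # class implied by actual usage
    under_licensed: bool      # assigned class is below the entitled class
    redundant: List[str] = field(default_factory=list)  # authorized, unused


def assess(user, authorized, executed, assigned):
    """authorized/executed: sets of tcodes; assigned: class the customer booked."""
    entitled = highest(TCODE_CLASS[t] for t in authorized if t in TCODE_CLASS)
    used = highest(TCODE_CLASS[t] for t in executed if t in TCODE_CLASS)
    gap = entitled is not None and RANK[assigned] < RANK[entitled]
    return Assessment(user, entitled, used, gap, sorted(authorized - executed))


# Constructed sample: the article's user, licensed by usage as Limited Professional.
SAMPLE = assess("JDOE", {"ME51N", "ME52N", "XK02", "SU3"}, {"ME51N", "SU3"},
                assigned="Limited Professional")

if __name__ == "__main__":
    print(SAMPLE)
```

Run it over every named user with their authorized and executed transactions; users flagged `under_licensed` are the audit exposure, and their `redundant` lists are the starting point for the clean-up.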

Key Takeaways

The key takeaway from this article is to read your contract! Read the definitions of the user licenses that you have purchased, and don't google them to find generic user license definitions that are most likely not relevant to your organization. I would advise against trying to source information on SAP License Management and User License Definitions elsewhere, given the fact that they differ in every contract, and what matters to your organisation is written in yours.

Related Information

SAP License Audit Simulation – Measures actual usage of the SAP software according to contractual definitions, compared to the licensing entitlements held, to determine your SAP licensing and compliance position. Our Audit Simulation identifies where redundant access clean-up can be performed in order to truly optimize your SAP licensing.

James Cochlin is Principal Consultant and Head of Audit & Compliancy Services at JNC, a company which has been providing SAP License Management services since 2009. In total, James possesses over 12 years' experience in SAP License Management and Auditing, with significant knowledge and experience in SAP security, authorisations and GRC. In the past, James was an SAP License Auditor for Deloitte. As Global Technical Lead, James audited clients around the world on behalf of SAP, and was involved in the development of SAP's License Audit Methodology. Now James works with customers, helping them reduce their risk of non-compliance, identify cost savings and avoid the pitfalls of licensing SAP estates. Throughout his consulting career, James has worked at some of the largest clients of SAP, helping them solve complex licensing problems whilst regaining control of SAP Licensing and Compliancy. James continues to train SAP Consultants on SAP licensing to the highest standards; he was the lead architect of a well-known SAP Software Asset Management tool, and is held in high esteem internationally as a leading SME and authority on SAP License Management.
